Releases: ParaParty/certdx
Releases · ParaParty/certdx
Release list
v0.6.0
certdx v0.6.0
v0.6.0 standardizes mTLS files and install paths, adds native Linux
packages, and updates dependencies.
New features
- Added
.deband.rpmpackages for Linux AMD64, ARM64, and ARMv7. - Added FHS-aware paths and hardened systemd services.
Breaking changes
There is no compatibility shim for the old mTLS format.
- Separate certificate and key files are replaced by single PEM bundles.
Config files and Caddyfiles now use onepemfield instead ofca,
certificate, andkey. certdx_tools make-servernow requires--name/-n.certdx_serverandcertdx_clientnow require--conf <path>.- Current-working-directory path discovery has been removed.
--mtls-diris replaced by--data-dirorCERTDX_DATA_DIRon the
server and tools. The client no longer accepts a data-directory option.- FHS installs use
/etc/certdx/mtls/for mTLS bundles and
/var/lib/certdx/for runtime state. - Library users must migrate to
pkg/mtlsand handle the new errors from
path and server constructors.
Before upgrading, back up existing certificates and state, regenerate or
convert mTLS bundles, and update all server, client, and Caddy configuration.
See the v0.6.0 migration guide for commands
and configuration examples.
Full changelog: v0.5.0...v0.6.0
v0.5.0
What's Changed
- Prevents duplicate Tencent Cloud certificate uploads by @ExerciseBook in #21
- Adds Kubernetes certificate updater by @ExerciseBook in #22
- docs: config wiki and setup guide generated by Claude Opus 4.7 by @LDLDL in #23
- feat: add e2e test by @LDLDL in #24
- refactor: extract pkg/{domain,retry,paths,api} from pkg/{utils,types} (slice 1/9) by @nicognaW in #35
- refactor: replace appengine.MultiError with errors.Join + %w wrapping (slice 2/9) by @nicognaW in #37
- refactor: tighten cache-entry refcount + Stop signaling (slice 4/9) by @nicognaW in #38
- refactor: harden mtls tooling (slice 3/9) by @nicognaW in #36
- refactor: thread context.Context, replace cert-cache broadcasts with sync.Cond (slice 5/9) by @nicognaW in #39
- refactor: gRPC failover with session ctx, drop atomic.Pointer reset (slice 6/9, HIGH RISK) by @nicognaW in #41
- refactor: group acme providers (slice 8/9) by @nicognaW in #40
- refactor: consolidate certdx_tools dispatch + short aliases (slice 7/9) by @nicognaW in #42
- docs: refresh setup/server/tools, add CONTEXT.md and ADRs (slice 9/9) by @nicognaW in #43
- fix: restrict certificate file permissions by @weypro in #44
- refactor: simplify txc updater set helpers by @nicognaW in #46
- refactor: split pkg/client/client.go into daemon + http_poller + grpc_streamer by @nicognaW in #47
- refactor: extract pkg/cli helpers (Version, LogConfig, WaitForShutdown) by @nicognaW in #45
- refactor: extract cli.LoadTOML, use in server main + client daemon by @nicognaW in #49
- refactor: normalize domain allow-list checks by @nicognaW in #50
- refactor: clean up caddytls module wiring by @nicognaW in #51
- refactor: split server cert entry and store by @nicognaW in #52
- refactor: harden mtls certificate generation by @nicognaW in #53
- fix: make server subscription lifecycle atomic by @nicognaW in #54
- fix: ACME account key + S3 provider crash paths (audit PR 3) by @nicognaW in #55
- fix: retry.Do off-by-one + ctx-aware retry (audit PR 6) by @nicognaW in #57
- fix: make grpc client shutdown ctx-safe by @nicognaW in #58
- fix: txc updater correctness (audit PR 2) by @nicognaW in #59
- fix: standardize log message wording (audit PR 8) by @nicognaW in #62
- fix: pkg/server lifecycle hardening (audit PR 4) by @nicognaW in #61
- fix: route HTTP allowlist rejection through domain.ErrNotAllowed (audit PR 9) by @nicognaW in #63
- refactor: cleanup gRPC Stream ctx + dead shutdown leftovers by @nicognaW in #64
- refactor: atomic cert/key writes (port handler.go from main-refactor) by @nicognaW in #65
- ci: ci (unit + e2e) + matrix release via build.py + dev mode by @nicognaW in #66
- test: broad unit test coverage across pkg/{api,cli,paths,acme,client,config} by @nicognaW in #67
- build: add go.work + GOWORK=off for xcaddy + local-dev docs by @nicognaW in #68
- ci: add caddytls e2e test by @LDLDL in #69
- fix: close and drain HTTP response body by @weypro in #70
- ci: add more unit tests by @LDLDL in #71
New Contributors
Full Changelog: v0.4.5...v0.5.0
v0.4.5
v0.4.4 Release
v0.4.3
What's Changed
- feat: Add http mtls support by @LDLDL in #18
- chore(deps): bump github.com/smallstep/certificates from 0.28.3 to 0.29.0 in /exec/caddytls by @dependabot[bot] in #20
New Contributors
- @dependabot[bot] made their first contribution in #20
Full Changelog: v0.4.1...v0.4.3
v0.4.2
v0.4.0 Release
What's Changed
Full Changelog: v0.3.0...v0.4.0
v0.3.0 Release
What's Changed
- feat: challenger selector by @ExerciseBook in #3
- feat: implement SDS gRPC for client and server by @LDLDL in #5
- chores: Refine logging by @LDLDL in #6
- chores: Adjust google cloud credential config by @LDLDL in #9
- chores: Adjust directory structure by @LDLDL in #10
- feat: caddy support by @ExerciseBook in #12
- Fix some problem in caddy certdx plugin by @LDLDL in #13
- refactor: refine code structure by @LDLDL in #14
Full Changelog: v0.2...v0.3.0
v0.2 Release
What's Changed
- Add Cert-Manager Support by @ExerciseBook in #2
- feat: server support write cache to file by @LDLDL in #4
Full Changelog: v0.1...v0.2
v0.1 Release
Security update fix server not start in https add test argument to client that allow skip verify server certification do not send body "404 page not found" when request non api path and non api method modify validBefore turncate to 1hour